Internal Rules

Employee Probationary Period

Policy brief & purpose

This policy clarifies the rules, conditions, and expectations for employees during their probationary period.

Scope

This policy applies to all employees of our Company. The Company will make an effort to ensure that its hiring procedures serve the purpose of recruiting the best employees for each open position. The probation period gives both employees and employers enough time to find out if their new employment relationship will eventually work out to the benefit of both.

Policy Elements

Employees on Probation

Those who can be placed in an employee probationary period include the following

• New employees
• Current employees who are promoted to another position, including but not only when it comes to a position of higher responsibility

The length of the probationary period is up to 6 months. It will be clearly stated in the employment contract. During the probation period, the parties shall have all rights and duties as under a final employment contract. In the probation period not included in the time during which the employee has been on statutory leave, or has not performed the work for which the contract has been concluded for other valid reasons. An employment contract with a probation period with the same employee of the Company for the same position may be concluded only once.

Meaning of the Probation Period

The probationary period is the time between signing an employment contract and being granted final employment status – i.e. till the employment contract signed is considered concluded for indefinite period of time or, as the case may be, concluded for the fixed period of time set forth in the contract (in case of a fixed-term contract with probation period). It is a “trial period” during which the employee is being evaluated as a suitable fit for the position and the Company. A trial period clause may be envisaged in contracts concluded for an unlimited period of time as well as in fix term contracts. The respective employee who is under probation period will be given consistent feedback and coaching to have the chance to learn their new job and improve during the probationary period.

Before the end of the probation period, the manager will determine if the employee should be retained in the organization. This decision will be made by appraising the following criteria:

• The skills, competencies, and knowledge of the employee on the job
• The employee’s progress on given assignments
• Their reliability, trustworthiness, and other relevant personality characteristics of the employee
• The employee’s relations and collaboration with subordinates, supervisors, and peers

However, the Company does not have the duty to justify its decision to retain the employee or not.

Procedure

• If the employee is deemed unsuitable while on a probationary period, the employee may be terminated without the minimum prior notice mandated by law or provided for in the individual employment contract.
• Termination may occur before the ending of the probationary period.
• The employee will be officially notified in writing for the decision to terminate them.
• Employees may still have to be dismissed for various reasons, after the end of the probationary period. In such cases, the company will follow labor law, legal guidelines, and its own separation of employment policy.

Policy violation

In case the employee does not comply with the conditions of our Probationary Period, the following action will be taken:

• Termination of Employment

Employee Code of Conduct

Policy brief & purpose

As an employee, you are responsible to behave appropriately at work. This policy outlines our expectations towards employee's conduct. We can’t cover every single case of conduct, but we trust you to always use your best judgment. Reach out to your manager or HR if you face any issues or have any questions.

Scope

This policy applies to all employees.

Dress Code

Policy Elements

These dress code rules always apply:

• All employees must be clean and well-groomed.
• All clothes must be work-appropriate. Clothes that are typical in workouts and outdoor activities aren’t allowed.
• All clothes must project professionalism. Clothes that are too revealing or inappropriate aren’t allowed.
• Our company’s official dress code is Casual.
• If you frequently meet with clients or prospects, please conform to a more formal dress code. We expect you to be clean when coming to work and avoid wearing clothes that are unprofessional (e.g. workout clothes, too short or too revealing).
  

As long as you conform with our guidelines above, we don’t have specific expectations about what types of clothes or accessories you should wear.

Policy Violation

In case the employee does not follow the Dress Code, the following action will be taken:

• Disciplinary action

Physical Access Control

Policy brief & purpose

Our Access Control policy outlines our rules for receiving visitors at our premises. We want to ensure that visitors will not:

• Pose threats to our premises and property
• Distract employees from their work
• Be exposed to danger

Scope

The policy applies to all employees, contractors, trainees, partners, customers and all other visitors. The access control is granted by one Employee - the Assets Security Agent. In their absence - by the Office Manager. Employees, except the Security Guard and the Office Manager may not allow access to our building to unauthorized visitors.

Policy Elements

• Access of Employees

Each Employee shall access the premises with their own access chip. In case of a forgotten or lost chip, you should approach immediately the Assets Security Agent or, in their absence, - the Office Manager. Employees are not allowed to let in their colleagues, that do not have their own access chip on the premises or to exchange their access chips. Each access chip is unique and personal.

• Access of Contractors / Freelancers - Temporary assignments

When arrives, the visitor is registered in the visitor's software Teems by the Assets Security Agent and receives a personal chip for the day. At the end of the working hours, the visitor shall return the chip to the Assets Security Agent.

• Access of visitors - Partners / Customers / Candidates

Each visit shall be registered by the Assets Security Agent in the visitor software Teem, where the visitor signs an NDA / GDPR agreement. At each visitor registration, the host should be selected in the Platform. Then, the host receives an email and should accompany their visitors from the Lobby to the premises of the meeting. When the visit is over, the Employee is responsible for accompanying the visitor back to the lobby. For each visitor, a badge is printed containing the name of the person and a photo of them. The visitors shall wear the badge throughout their visit to the office. No visitors are allowed to walk on the premises by themselves.

• Access of couriers

Couriers are not allowed to enter on the office floors, except for huge packages. All Company packages and correspondence should be accepted by the Assets Security Agent and then dispatched twice a day by the Office Manager. Couriers that dispatch personal orders of Employees, should contact directly the employees and wait for them to pick up the packages in the lobby.

• Validate Visitor's Identity

Visitor shall provide their ID card to Assets Security Agent in order for their identity to be validated. This data won't be stored or kept by Secure Group Lab OOD.

• Pre-approved Visitors

Guests of the Managing Directors, Government or other institutional representatives or other special guests may pass without having to register. For these cases, the person that invites them shall fill in a pre-registration form at the moment they create the meeting.

Policy Violation

In case the employee does not follow this policy, the following action will be taken:

• Disciplinary action / Other administrative actions if the behavior of the Employee led to a security breach that had negative consequences for the company.

Cybersecurity and digital devices

Take security seriously: Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. We can all contribute to this by being vigilant and keeping cybersecurity top of mind.

Policy Elements

There are guidelines for using computers, phones, our internet connection, and social media to ensure security and protect our assets. This category, as an exception, applies to all our employees, contractors and anyone who has permanent or temporary access to our systems and hardware.

Confidential data

Confidential data is secret and valuable. Common examples are:

• Unpublished financial information
  
• Data of customers/partners/vendors
  
• Patents, formulas or new technologies
  
• Customer lists (existing and prospective)
  

All employees are obliged to protect this data. In this category, we will give our employees instructions on how to avoid security breaches

Protect personal and company devices

When employees use their digital devices to access company emails or accounts, they introduce security risks to our data. We advise our employees to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this if they:

• Keep all devices password protected.
• Ensure they do not leave their devices exposed or unattended.
• Log into company accounts and systems through secure and private networks only.
• Avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.

Manage passwords properly

Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. We use a password management tool that generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the abovementioned advice.

Transfer data securely

Transferring data introduces security risk. Employees must:

• Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask our System Administrators for help.
• Share confidential data over the company network/ system and not over public Wi-Fi or private connection.
• Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
• Report scams, privacy breaches and hacking attempts.

Our System Administrators need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our System Administrators must investigate promptly, resolve the issue and send a companywide alert when necessary.

Additional measures

To reduce the likelihood of security breaches, we also instruct our employees to:

• Turn off their screens and lock their devices when leaving their desks.
• Report stolen or damaged equipment as soon as possible to HR and Employee Experience Expert
• Change all account passwords at once when a device is stolen.
• Report a perceived threat or possible security weakness in company systems.
• Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
• Avoid accessing suspicious websites.
• We also expect our employees to comply with our social media and internet usage policy.

Our System Administrators will:

• Install firewalls, anti-malware software, and access authentication systems.
• Arrange for security training to all employees.
• Inform employees regularly about new scam emails or viruses and ways to combat them.
• Investigate security breaches thoroughly.
• Follow these policies provisions as other employees do.

Remote employees

Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards, and settings, and ensure their private network is secure. We encourage them to seek advice from our System Administrators.

Policy Violation

In case the employee does not follow the Cybersecurity measures, the following action will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe violation

If we suspect employees are engaged in suspicious or unethical activities, we reserve the right of investigating any sort of communication that occurred inside the Company's facilities or through the Company's devices.

Internet usage

Policy elements

What is appropriate employee internet usage?

Our employees are advised to use our company’s internet connection for the following reasons:

• To complete their job duties.
• To seek out information that they can use to improve their work.
• We expect our employees to remain productive at work while using the internet.
• Any use of our network and connection must follow our confidentiality and data protection policy.

What is inappropriate employee internet usage?

Our employees must not use our network to:

• Browse, download or upload obscene, offensive or illegal material.
• Send confidential information to unauthorized recipients.
• Invade another person’s privacy and sensitive information.
• Download or upload copyrighted material and software.
• Visit potentially dangerous websites that can compromise the safety of our network and computers.
• Perform unauthorized or illegal actions, like hacking, fraud, buying/selling illegal goods and more.

We also advise our employees to be careful when downloading and opening/executing files and software. If they’re unsure if a file is safe, they should ask the System Administrators. Employees must not deactivate or configure anti-virus settings and firewalls without managerial approval. We won’t assume any responsibility if employee devices are infected by malicious software, or if their personal data are compromised as a result of inappropriate employee use.

Company-issued equipment

We expect our employees to respect and protect our company’s equipment. “Company equipment” in this computer usage policy for employees includes company-issued phones, laptops, tablets, and any other electronic equipment, and belongs to our company. We advise our employees to lock their devices in their desks when they’re not using them. Our employees are responsible for their equipment whenever they take it out of their offices.

Policy Violation

In case the employee does not follow the Internet usage measures, the following action will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment and legal action: if a severe violation

Examples of severe violations are:

• Using our internet connection to steal or engage in other illegal activities.
• Causing our computers to be infected by viruses, worms or other malicious software.
• Sending offensive or inappropriate emails to our customers, colleagues or partners.

Cellphone

Policy elements

We allow the use of cell phones at work. Personal phone use is allowed for not more than 2 mins. This is to make sure you can take phone calls in case of an emergency related to your family. You must not get distracted from your work. You must not disturb the other people in the room by making personal phone calls. You need to always make them on your break. Employees use company-issued phones for business purposes only and preserve them in perfect condition.

We won’t allow employees to:

• Play games on the cell phone during working hours.
• Use their cell phone’s camera or microphone to record confidential information.
• Use their phones in areas where cell use is explicitly prohibited
• Speak on their phones within earshot of colleagues’ working space during working hours.
• Download or upload inappropriate, illegal or obscene material on a company cell phone using a corporate internet connection.

Policy Violation

Our company will monitor employees for excessive or inappropriate use of their cell phones. If an employee’s phone usage causes a decline in productivity or interferes with our operations, we’ll ban that employee from using their cell phones during working hours and the following action will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe violation

Examples of severe violations are:

• Cause a security breach.
• Violate our confidentiality policy.

Corporate e-mail

Policy Elements

Corporate emails are powerful tools that help employees in their jobs. Employees should use their company email primarily for work-related purposes. We will define what constitutes appropriate and inappropriate use.

Inappropriate use of company email

Our employees represent our company whenever they use their corporate email address. They must not:

• Sign up for illegal, unreliable, disreputable or suspect websites and services.
• Send unauthorized marketing content or solicitation emails.
• Register for a competitor’s services unless authorized.
• Send insulting or discriminatory messages and content.
• Intentionally spam other people’s emails, including their coworkers.

Our company has the right to monitor and archive corporate emails.

Appropriate use of the corporate email

Employees are allowed to use their corporate email for work-related purposes without limitations to:

• Communicate with current or prospective customers and partners.
• Log in to purchased software they have legitimate access to.
• Give their email address to people they meet at conferences, career fairs or other corporate events for business purposes.
• Sign up for newsletters, platforms and other online services that will help them with their jobs or professional growth.

Email security

Email is often the medium of hacker attacks, confidentiality breaches, viruses, and other malware. These issues can compromise our reputation, legality, and security of our equipment. Employees must always be vigilant to catch emails that carry malware or phishing attempts. We instruct employees to:

• Avoid opening attachments and clicking on links when content is not adequately explained (e.g. “Watch this video, it’s amazing.”)
• Be suspicious of clickbait titles.
• Check the email and names of unknown senders to ensure they are legitimate.
• Look for inconsistencies or style red flags (e.g. grammar mistakes, capital letters, an excessive number of exclamation marks.)

If an employee isn’t sure that an email they received is safe, they can ask our System Administrators.

Email signature

We encourage employees to use the email signature from Secure Group that exudes professionalism and represents our company well. Employees dealing with sales and executives, who represent our company to customers and stakeholders should pay special attention to how they close emails.

Policy Violation

In case the employee does not follow the Corporate email measures, the following action will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe violation

Examples of severe violations are:

• Using a corporate email address to send confidential data without authorization.
• Sending offensive or inappropriate emails to our customers, colleagues or partners.
• Using a corporate email for illegal activity.

Social media

Policy Elements

We want to provide practical advice to prevent the careless use of social media in our workplace. We address two types of social media use:

• Using personal social media at work
• Representing our company through social media.

Using personal social media at work

You are permitted to access your personal accounts at work. But, we expect you to act responsibly, according to our policies and ensure that you stay productive. Specifically, we ask you to:

• Discipline yourself. Avoid getting sidetracked by your social platforms.
• Ensure others know that your personal account or statements don’t represent our company. For example, use a disclaimer such as “opinions are my own.”
• Avoid sharing intellectual property (e.g trademarks) or confidential information. Ask your manager before you share company news that’s not officially announced.
• Avoid any defamatory, offensive or derogatory content. You may violate our company’s anti-harassment policy if you direct such content towards colleagues, clients or partners.

Representing our company through social media

We expect you to protect our company’s image and reputation. Specifically, you should:

• Be respectful.
• Avoid speaking on matters outside your field of expertise when possible.
• Follow our confidentiality and data protection policies and observe laws governing copyrights, trademarks, plagiarism, and fair use.

Policy Violation

We manage and monitor all social media postings on our corporate accounts. In case the employee does not follow the Social Media measures, the following actions will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe violation

Examples of non-conformity with the employee social media policy include but are not limited to:

• Disregarding job responsibilities and deadlines to use social media
• Disclosing confidential information through personal or corporate accounts
• Directing offensive comments towards other members of the online community

Conflict of Interest

Policy Elements

Conflict of interest may occur whenever an employee’s interest in a particular subject may lead them to actions, activities or relationships that undermine the company and may place it to disadvantage.

What is an employee conflict of interest?

This situation may take many different forms that include, but are not limited to, conflict of interest examples:

• Employees’ ability to use their position with the company to their personal advantage
• Employees engaging in activities that will bring direct or indirect profit to a competitor
• Employees owning shares of a competitor’s stock
• Employees using connections obtained through the company for their own private purposes
• Employees using company equipment or means to support an external business
• Employees acting in ways that may compromise the company’s legality

When an employee understands or suspects that a conflict of interest exists, they should bring this matter to the attention of management so corrective actions may be taken. Managers must also keep an eye on potential conflicts of interest of their subordinates. The responsibility of resolving a conflict of interest starts with the immediate manager and may reach senior management. All conflicts of interest will be resolved as fairly as possible. Senior management has the responsibility for the final decision when a solution can not be found. In general, employees are advised to refrain from letting personal and/or financial interests and external activities come into opposition with the company’s fundamental interests.

Policy Violation

In case the employee does not follow the Conflict of interest measures, the following actions will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe violation

Employee relationships

Policy Elements

Before you date a colleague

Before you decide to date a colleague, please consider any problems or conflicts of interest that may arise. For example, if you’re working with a colleague on an important project, a relationship between the two of you (or a possible breakup) could affect your work.

When you begin dating a colleague

HR won’t get involved in your private lives and will always be discrete. You don’t need to tell us if you go on a few dates with a colleague or become involved, as long as there’s no disruption in the workplace or your own work. Also, make sure to:

• Keep your personal issues and discussions out of the workplace.
• Be productive and focused as always.

Acceptable behavior

Our workplace is still a professional setting. We expect our employees to treat each other with respect and avoid hindering other people’s work. If you want to express your romantic interest in a colleague, don’t do anything that may embarrass or expose them and always respect their time and choices. If a colleague is persistent in flirting with you and becomes annoying or disturbs your work, ask them to stop and inform your manager if they continue. Please report them to HR if they make unwanted sexual advances. Sexual harassment is prohibited, including seemingly harmless actions.

Policy Violation

In case the employee does not follow the Employee relationship measures, the following actions will be taken: Corrective Action Plan (CAP)

Workplace measures

Policy Elements

Visitors

• You cannot have personal visits to your workplace.
• You cannot bring family members at your workplace.
• You can always meet family members in case of an emergency on your break out of the office space.
• Pets are not allowed in the office.

Workplace code

• Food at the workplace is not allowed unless it is a snack.
• You cannot eat your breakfast or lunch at your desk.
• You must have your breakfast and lunch in the cafeteria.
• You must bring your coffee mugs and water cups to the kitchen sinks at the end of the day.
• Every day you must check the windows and AC in your room to be switched off and closed.
• You must leave your workplace clean at the end of your workday.
• You are responsible for keeping your desk organized and free from any non-related working items

Policy Violation

In case the employee does not follow the Employee relationship measures, the following actions will be taken: Disciplinary action (see page 66) if minor violation Corrective Action Plan (CAP) (see page 69) if a severe or frequent violation

Solicitation and Distribution

Policy Elements

Solicitation is any form of requesting money, support or participation for products, groups, organizations or causes which are unrelated to our company. These include but are not limited to:

• Seeking funds or donations for a non-profit organization
• Asking for signatures for a petition
• Selling merchandise or services
• Requesting support for a political candidate
• Engaging in religious proselytism

We prohibit the solicitation of any kind such as:

• Selling goods for personal profit.
• Requesting support or funding for political campaigns.
• Unauthorized posting of non-work related material on company bulletin boards.
• Solicitation or distribution of non-business literature.
• Proselytizing others to any religious groups.
• Employees may refer to any questions or doubts to the Office Manager.

Policy Violation

In case the employee does not follow the Employee relationship measures, the following actions will be taken:

• Disciplinary action: if a minor violation
• Termination of Employment: if a severe or frequent violation

Severe violations include but are not limited to:

• Soliciting in our workplace during working hours for illegitimate reasons.
• Making colleagues uncomfortable by being overly persistent.
• Distributing material that contains hate or other offensive speech.
• Embezzling or mishandling donations by other employees for events or causes.

Substance Abuse and Drug Testing Policy

Policy brief & purpose

Secure Group is a drug and alcohol-free environment because we value the health and safety of all of your employees. We understand that any employee that may be working under the influence of alcohol or drugs could injure himself or other employees. We also believe that alcohol or drug impairment impacts all aspects of an employee’s life negatively. These negative impacts, such as broken families, cannot help but flow over into the workplace and manifest as absenteeism, lower productivity, and damaged relationships. This policy has the objective of explaining what are the measures that we take to avoid any substance or drug abuse.

Scope

All employees must abide by the provisions of this policy.

Policy Elements

Illegal drugs, prescription as well as over-the-counter drugs fall into the “substances” category. We also place restrictions on alcohol consumption. While working, it's extremely forbidden to:

• Possess, use or be under the influence of alcohol or drugs. You can consume alcohol in moderation while in approved business meetings or social gatherings.
• Sell, buy, transfer or distribute drugs.
• Abuse prescription drugs while at work.

Procedure

If there's any suspicion about drug or alcohol abuse in the workplace, we will ask the relevant employee to leave the office and to return the next day if there's a condition for that. Here are instances that constitute reasonable suspicion:

• Abnormal behavior.
• Physical evidence of drugs and alcohol or observation (including odors.)
• Patterns of failing to complete a task due to confusion or disorientation.
• Reports from colleagues that an employee admitted to using drugs, was seen using drugs or was shown to be under the influence at work.

If you see that your prescription drugs unexpectedly affect your senses, thinking or movements, please ask for time off. To ensure we enforce this policy, we ask managers to keep detailed, verifiable records of drug-related incidents, behaviors or reports.

Policy violation

In case the employee does not follow this policy, the following action will be taken:

• Corrective Action Plan (CAP): if a minor violation
• Termination of Employment(see page 63): if a frequent or severe violation

Note that if you become inebriated and behave inappropriately towards colleagues, customers or stakeholders, we will terminate your contract immediately.

Employee Attendance and Working Hours Policy

Policy brief & purpose

This policy explains what are the criteria for employees attendance and which actions should be taken in case the working hours are not completed.

Scope

This policy applies to all employees that are hired under a full-time contract. The employees working in shifts are not eligible for this policy.

Policy Elements

Working hours

Our employees work five days a week under the conditions of 8-hours working day. You can take advantage of the Flexible Working Time opportunity, which allows you to start work between 08.00 and 10.00 am, and finish work accordingly, from 17.00 to 19.00 unless it is otherwise specified. If you work in the Partner Success department, you will follow a shift schedule as needed.
Our employees can take the following breaks at work:

• Lunch breaks. We provide all employees with a 60 min meal break. They need to take it between 12.00 pm and 14.00 pm. Lunch breaks are not included in the working hours. If possible, schedule these breaks in advance so your team will know when you will be unavailable. For certain positions, we may schedule lunch breaks to avoid any negative impact on our operations.
• Rest breaks. Employees can take 2 breaks 15 minutes each during the day. Rest breaks are included in your working hours.
• If you need to perform any kind of work (e.g. a meeting, a call, etc.) we expect you to take your break before or after.

The positions/employees for which flexible working hours are applicable are always determined by an ordinance of the managers. You can have flexible working hours unless otherwise specified. The opportunity for flexible working hours may be at any time withdrawn for certain positions/employees upon the discretion of the managers if they consider that there are objectives, other reasons which require to do so or if the employee is under a CAP.
It is very important to respect any scheduled meetings and attend them on time. You can work overtime only if you were specifically asked to do that, and your role and duties require that. Overtime work shall be in any case performed in compliance with the rules of the labor legislation.

Employee Attendance

All employees need to collaborate with their colleagues to do their job. To make this collaboration easier, we expect you to be punctual and follow the schedule you and your manager have agreed on. If you are absent, late on occasion or you need to leave early, you need to have a good reason and must inform your manager.

What are absenteeism and tardiness?

• Absenteeism refers to frequent absence from an employee’s job responsibilities.
• Tardiness refers to coming in late, taking longer breaks than you’re entitled to and constantly leaving earlier from work without reason.

You are responsible to record and monitor your working hours.

Unforeseen absences

If you can’t come into work one day, notify the Employee Experience Expert as soon as possible. Please record this in BambooHR as quickly as possible. Unexcused or unreported absence for more than three days will be considered job abandonment. We will understand if you have good reasons for being absent, even if you don’t report it. Those reasons involve serious accidents and family or acute medical emergencies. We will ask you to bring us doctor’s notes or other verification.
The following list includes reasons that we don’t consider good reasons for being absent:

• Waking up late.
• Stopping on the way to work for personal reasons.
• Bad weather.
• Holidays that haven’t been approved.

Procedure

If there's any suspicion about drug or alcohol abuse in the workplace, we will ask the relevant employee to leave the office and to return the next day if there's a condition for that. Here are instances that constitute reasonable suspicion:

• Abnormal behavior.
• Physical evidence of drugs and alcohol or observation (including odors.)
• Patterns of failing to complete a task due to confusion or disorientation.
• Reports from colleagues that an employee admitted to using drugs, was seen using drugs or was shown to be under the influence at work.

If you see that your prescription drugs unexpectedly affect your senses, thinking or movements, please ask for time off. To ensure we enforce this policy, we ask managers to keep detailed, verifiable records of drug-related incidents, behaviors or reports.

Policy violation

In case the employee does not follow this policy, the following action will be taken:

• Corrective Action Plan (CAP): if a minor violation
• Termination of Employment(see page 63): if a frequent or severe violation

Note that if you become inebriated and behave inappropriately towards colleagues, customers or stakeholders, we will terminate your contract immediately.

Procedure

• If you are late for work and will arrive before 10h30am, you need to inform your manager and compensate at the end of the working day.
• If you are late for work and will arrive after 10h30am, you need to take half the day-off that will be subtracted from your available paid-leave days and it should be recorded in BambooHR.
• If you need to leave early, you must inform your manager and compensate for the absent hours within a week

Manager’s responsibility

• If you manage employees you are responsible to monitor their attendance. If you notice that a team member is consistently late or absent, arrange a private meeting to discuss.
• If you suspect that your team member abuses their sick leave or is wilfully tardy, you should inform HR and start a progressive discipline process.

Policy violation

In case this policy is not abode by employees the following actions will be taken: Disciplinary action: if a minor violation Corrective Action Plan (CAP): if severe and/or frequent violation

Shiftwork Policy

Policy brief & purpose

This policy explains what are the criteria for employees' attendance when working in shifts.

Scope

This policy applies to all employees that are eligible to work in shifts.

Policy Elements

Working hours

Our employees work the conditions of 40-hours per week and following the specified rules of the Bulgarian Labor Code.
Employees under this working model should follow the availability time, during which they can be outside the company, but should be available and immediately arrive at their workplace.

Procedure

• Your shift will be scheduled through BambooHR and you should follow as it's defined
• Employees that work in shifts should be available, with easy access to a phone/laptop in case of an emergency such as repairs in the system, failure in the server, etc. The employees might be asked to come to the premises of the company, depending on the severity of the situation.

Policy violation

In case this policy is not abode by employees the following actions will be taken: is policy is not abode by employees the following actions will be taken:

• Disciplinary action: if a minor violation
• Corrective Action Plan (CAP): if severe and/or frequent violation

Overtime Policy

Policy brief & purpose

This policy explains what are the conditions and requirements for employees when overtime hours are needed/ requested.

Scope

This policy applies to all employees that are hired under a full-time contract.
The employees working in shifts are not eligible for this policy.

Policy Elements

Our employees work five days a week under the conditions of the 8-hours working day. In some specific cases, you might need to stay overtime in the office so you can request overtime hours in BambooHR. Our employees can request overtime hours in case:

• Some urgent task needs to be completed
• One project has to be delivered and it requires extra effort
• Every three months, the overtime hours are calculated and the employee will be granted the equivalent amount of time off.

Procedure

• You have to request overtime hours by logging a request in BambooHR.
• The request needs to be done as you or your manager realize the need. Please note: if you're the requester, your manager will need to approve the overtime hours.
• You must get the request approved by your direct manager before working overtime.

Policy violation

Overtime is guaranteed by the Bulgarian Labor Law, therefore there are no consequences if you require them.

Employee Time Off Policy

Policy brief & purpose

This policy explains what are the conditions and requirements for employees to have time off from work.

Scope

This policy applies to all employees.

Policy Elements

Paid Time off

Our company will grant 20 days (1.67 days per month * 12 months) of paid leave. They are to be taken proportionally throughout the year. For E.g. in the end of March you have 3 times (January, February and March) 1.67 days to take.
We offer 1 extra day for every year you are with Secure Group. The extra day will be available for the employees to request, once they complete each year with us. For example, if one employee starts working in June/2023, then in June/2024 the extra day will appear in the system to be claimed.
We give a day off on your birthday as a benefit so you can enjoy a day off on the date of your birthday. This benefit is applicable to full-time employees that already passed probation. This benefit does not apply to employees under a CAP, under a notice period, or if the employee presents any behavior that violates our code of conduct.

Procedure

You have to request days off by logging a request in BambooHR. The request needs to be done at least 2 weeks prior unless it is an emergency. You must get the request approved by your direct manager before taking these days. After you get it approved, you must sign that request on paper with the Office Manager. It is not permitted to have 2 people from the same team taking days off at the same time. Please try to use your Paid leave throughout the year and not accumulate your entire leave for the end. Unused Paid leave may be passed on to the next calendar year partially. In some cases, an employee may use up all their Paid leave and still need to be absent from work. In such cases, we may consider granting that employee unpaid time off.

National Holidays

Our company observes the Bulgarian holidays. These holidays are days off for employees unless a particular department of our company must operate during these days.

Procedure

National Holidays have already been registered automatically in BambooHR. There's no action needed by our employees.

Sick Days

Our employees may be unable to perform their duties if they get sick. Our company follows legal guidelines that apply to sick days.

Procedure

If you are sick, you must inform the Office Manager as soon as possible. They will further inform your direct manager, and log it in BambooHR. You should also inform the Office Manager for how long you’ll be absent.

Policy violation

Time off is guaranteed by the Bulgarian Labor Law, therefore there are no consequences when it's required.

Remote Office Policy

Policy brief & purpose

This policy has the objective of clarifying the eligibility, conditions, and requirements for employees that want to work from home on certain days.

Scope

Our employees are allowed to work remotely from home only if their job duties permit it and upon additional agreement with the employer. You are not eligible to work remotely if you need to be in direct physical contact with other employees or team members. Therefore, the employer is entitled due to this fact and considering the specifics and the needs of the working process in the Company and in particular those related to your work to deny giving consent for some employees to work remotely from home. The employees working in shifts are not eligible for this policy.

Policy Elements

• Employees can take days to work remotely during the year only upon approval by the manager at BambooHR.

Remote Office is a company benefit that will give you a better work/life balance. Remote Office needs to be done with a clear plan of what you work on that day. You must be available to communicate with your manager and team members all the time during the working hours of the Company as you are in the office.
You cannot benefit from Remote Office if:

• You have to take care of your young children at home, or
• You need to be somewhere else doing something else besides work, or
• The Remote Office days are not taken in a row
• The Company has doubts that you use working time also for purposes not related to your work.
• The Company has the right to deny to give approval for certain days/cases for objective reasons:
• You are under a Corrective Action Plan (CAP).

Procedure

When employees plan Remote Office days, this procedure must be followed:

• Employees file a request through BambooHR in advance and with the description of the activities they will focus on a specific day

Management will consider the following elements:

• Is the employee eligible by the nature of their job?
• Are there any cybersecurity and data privacy concerns?
• Will collaboration with the employee’s team become difficult?
• Do employees have the necessary equipment or software installed at home?
• What are the conditions of employees’ home (noise, internet connection. etc.)?
• Their direct manager/supervisor approves or rejects the request considering all elements as mentioned above.
• Direct manager approves or rejects the request considering all elements as mentioned above.

At any time during the workday Employees need to be ready for a call with the proper equipment in a noise free environment. Test your equipment before you start your work. In case you do not have proper environment to conduct your work, you need to be in the office or take a day off.
Employees might be called in the office for meeting. Management  will make sure that these are organized in a small group, with proper distance. In case you cannot attend, you need to take a day off. Chatting on Skype must be kept to a minimum as it is proven inefficient in many cases. Management is expecting from employees to schedule daily calls. These need to be scheduled properly using our calendar tool and be visible for all employees.

• Time sheets in JIRA are mandatory for all employees.
• Home office planner has to be done for every employee.

Please keep in mind that Remote office work is always under revision by management. In case management decides that you cannot work from home, you might be asked to take paid or unpaid days off.
Please do not hesitate to talk to your manager regarding this information. For all issues related to the working remotely which are not explicitly regulated in this policy, the provisions of the relevant provisions of the Bulgaria Labour Code shall apply.

Policy Violation

In case the employee does not follow the Remote Office requirements, the following action will be taken:

• Disciplinary action and suspension of the benefit if a minor violation
• Corrective Action Plan (CAP): if a severe violation.

Smoke-Free Workplace Policy

Policy brief & purpose

This policy explains what are the accepted conditions for smoking in the surroundings of the office.

Scope

This policy applies to all employees. Our employees who smoke need to follow this policy so they will:

• Protect non-smokers from second-hand smoking
• Avoid setting off alarms and smoke detectors
• Preserve an image of a clean workplace
• Avoid fires from discarded cigarettes

We’ll follow any legal guidelines regarding indoor smoking.

Policy Elements

Our policy refers to all tobacco products. As a general rule, smoking is prohibited indoors at any time. This rules refers to:

• Working areas
• Hallways
• Staircases
• Restrooms
• Kitchen and Cafeterias

Procedure

We permit smoking during breaks at:

• Balconies
• Any outer premises including yards and sidewalks outside of our building.

If you smoke you must:

• Extinguish their cigarettes and discard them only in appropriate ashtrays.
• Avoid smoking near flammable objects and areas.

Policy Violation

In case the employee does not follow this policy, the following actions will be taken:

• Disciplinary action and suspension of the benefit if a minor violation
• Corrective Action Plan (CAP): if a severe violation.

Employee Referral Program Policy

Policy brief & purpose

Compared to other recruiting strategies, our employee referral program has a higher return on investment (ROI). Employee referrals are a great way to improve our time, cost and quality of hire. This policy clarifies the conditions for referring candidates to our selection process.

Scope

This Employee Referral Program Policy applies to employees who refer a candidate to our company. It does not apply to employees working in the HR department or that are involved in the Selection process, or that were part of a Marketing campaign/initiative.

Policy Elements

Secure Group considers referrals the best way to attract talent. We already trust our employees’ judgment at work – why not trust them about who will be a good addition to our team? And given the effect of personal relationships on team spirit, why not count on relationships that are already good?
Now, we introduce tiers, depending on the position of the referred person. Naturally, some roles are key to our operations and call for a bigger reward if someone tips us off about top talent in these fields.

For referring a candidate for a Management position or in the Android Development framework, team members will receive the equivalent of a monthly salary (in NET leva) for the new hire:

• 30% on the new hire's first day of work
• 30% when they make one year in the company
• 40% when they make two years in the company

For referring a candidate for all other IC positions, team members will receive the equivalent of a monthly salary (in NET leva) for the new hire:

• 30% on the new hire's first day of work
• 30% when they pass the probation period in the company
• 40% when they make one year in the company

Procedure

In order to refer a person to work in Secure Group, you should communicate with our Recruitment team and share the curriculum vitae of the candidate. A brief explanation of why you believe the person will be a valuable asset to Secure Group may be required for the documentation of the Selection Process.

Policy Violation

This policy is optional and there are no consequences if employees do not refer candidates

Moonlighting Policy

Policy brief & purpose

The main purpose of this policy is to set out the expectation we have on how employees will treat their work at our business as their primary job and will not allow other jobs to interfere with the performance of the primary job.

Scope

• This policy applies to our employees.
• This policy applies to lawful activities. We will take legal action if you use our company’s equipment, resources or information to support any illegal activities.

Policy Elements

We want our employees to be transparent about their side jobs so we can prevent conflicts with their main jobs more easily. Our main rule is that our employees must treat their job in our company as their primary occupation. Any other job should come second. With this rule in mind, our employees must not:

• Take up a job or project with our competitors. Doing so will violate our non-compete agreement and we will terminate you.
• Take up a job or project if its working hours overlap with those of their main job. We expect you to use your working hours to work for our company only.
• Take up a job or project that’s so demanding it interferes with the main job duties. For example, if you’re too tired to do your main job properly, you will face negative performance reviews.
• Take up a job or project that could create a conflict of interest. For this reason, we advise against working for or with our company’s clients, vendors or contractors outside your job.

Procedure

What you should do if you want to take up side jobs

We define a side job as paid, regular work (temporary or permanent) with specific job responsibilities. For example, working at a coffee shop qualifies as a side job if you are expected to work there regularly, regardless of whether you have pre-determined shifts or a fixed number of hours. Managing a business, working as a consultant or advisor to companies and serving as a board member of an organization falls under our definition too.
When you want to (or have taken) a side job, you must inform HR and your manager to help us ensure you don’t inadvertently violate this policy.

Using company equipment and resources

Employees must not use company equipment, resources or materials for their outside activities. Using or disclosing our confidential or proprietary information outside the scope of your job with us is prohibited.

Policy Violation

In case the employee does not follow this policy, the following action will be taken:

• Corrective Action Plan (CAP)
• Termination of Employment and legal action: if an extremely severe violation

Anti-discrimination Policy

Policy brief & purpose

Our anti-discrimination policy explains how we prevent discrimination and protect our employees, customers, and stakeholders from offensive and harmful behaviors. This policy supports our overall commitment to creating a safe and happy workplace for everyone. Our company complies with all anti-discrimination laws. We explicitly prohibit offensive behavior and disrespectful behavior.

Scope

This policy applies to all employees, contractors, visitors, customers, and stakeholders.

Policy Elements

Discrimination is any negative action or attitude directed towards someone because of protected characteristics, like race and gender. Other protected characteristics are:

• Age
• Religion
• Ethnicity/ nationality
• Disability/ medical history
• Marriage / civil partnership
• Pregnancy / maternity/ paternity
• Gender identity/ sexual orientation

Discrimination and harassment

Our anti-discrimination and anti-harassment policies go hand-in-hand. We will not tolerate any kind of discrimination that creates a hostile and unpleasant environment for employees, customers or partners. Here are some instances that we consider discrimination:

• Employees making sexist comments.
• Employees sending emails disparaging someone’s ethnic origin.

We will not be lenient in cases of assault, sexual harassment or workplace violence, whether physical or psychological. We will terminate employees who behave like this immediately.

Procedure

Actions to prevent discrimination

To ensure that our conduct and processes are fair and lawful, we:

• Use inclusive language in job ads
• Set formal job-related criteria to hire, promote and reward team members.
• Offer compensation and benefits according to position, seniority, qualifications, and performance, not protected characteristics.
• Require managers to keep detailed records of their decisions concerning their team members and job candidates.

What to do in cases of discrimination

If you are the victim of discriminatory behavior (or if you suspect that others are being discriminated against,) please talk to the HR or your direct manager as soon as possible. HR is responsible for hearing your claim, investigating the issue and determining the consequences.
Punishment for discriminatory behavior depends on the severity of the offense.

How we address discrimination complaints

HR is proactive and responsive to determining whether discrimination occurs. We will look into similar claims about the same person or process to determine if discrimination is systemic. We will investigate all claims discreetly. We will never disclose who made a complaint to anyone or give out information that may help others identify that person (e.g. which department or role they work in.) We should all strive to prevent and address discrimination. Be aware of your implicit biases and speak up whenever you or your colleagues are discriminated against.

Policy Violation

In case this policy is not abode by employees the following actions will be taken (depending on the severity of the behavior):

• Disciplinary action: if a minor violation
• Corrective Action Plan (CAP): if a severe violation
• Termination of Employment: in case of workplace violence

Violence In The Workplace Policy

Policy brief & purpose

It's in Secure Group's priorities to provide a safe workplace for employees and for visitors to the workplace. This policy explains what are the non-accepted type of violent behavior and the consequences for it.

Scope

This policy applies to all employees.

Policy Elements

“Workplace violence” refers to physical acts of violence or threats to harm a person or property. Abusive behaviors, whether verbal, psychological or physical, are also considered violence. More specifically:

• Verbal abuse can be using unwelcome, embarrassing, offensive, threatening or degrading language.
• Psychological abuse is an act that provokes fear or diminishes a person’s dignity or self-esteem.
• Sexual abuse is any unwelcome verbal or physical assault.

Examples of violent behavior among co-workers include but are not limited to:

• Intimidating or bullying others
• Abusive language
• Physical assault
• Threatening behavior
• Concealing or using a weapon
• Sexual or racial harassment

Procedure

Our company doesn’t tolerate violence. Employees must report any concerns or violent acts to HR as soon as possible.

Policy Violation

In case this policy is not abode by employees the following actions will be taken (depending on the severity of the behavior):

• Corrective Action Plan (CAP): if a minor violation
• Termination of Employment: if a severe violation

Workplace Harassment Policy

Policy brief & purpose

Secure Group prohibits harassment of any kind, including sexual harassment, and will take appropriate and immediate action in response to complaints or knowledge of violations of this policy. For purposes of this policy, harassment is any verbal or physical conduct designed to threaten, intimidate or coerce an employee, co-worker, or any person working for or on behalf of Secure Group.

Scope

This workplace harassment policy applies to all employees, contractors, customers and anyone else whom employees come into contact with at work.

Policy Elements

What is the definition of harassment in the workplace?

Harassment includes bullying, intimidation, direct insults, malicious gossip. Instances that we consider harassment:

• Sabotaging someone’s work on purpose
• Being rowdy and disruptive
• Yelling and speaking loudly and in a rude manner to any of your colleagues
• Engaging in frequent or unwanted advances of any nature, including sexual harassment.
• Commenting derogatorily on a person’s ethnic heritage or religious beliefs
• Starting or spreading rumors about a person’s personal life.
• Ridiculing someone in front of others.

Procedure

Reach out to HR in any case of harassment no matter how minor it may seem. For your safety, contact HR as soon as possible in cases of serious harassment (e.g. sexual advances) or if your manager is involved in your claim. Anything you disclose will remain confidential.

Policy Violation

In case this policy is not abode by employees the following actions will be taken (depending on the severity of the behavior):

• Corrective Action Plan (CAP): if a minor violation
• Termination of Employment: if a severe violation

Source Code Policy

Policy brief & purpose

This policy has the objective of ensuring that all employees are informed of how to use open source. The Source Code policy exists to maximize the impact and benefit of using open source and to ensure that any technical, legal or business risks resulting from that usage are properly mitigated.

Scope

This policy applies to all our employees and anyone who has permanent or temporary access to our systems and hardware.

Policy Elements

Usage of Open Source

Our employees are allowed to use Open Source accordingly to the license.

Share Company's Source Code

Sharing our Company Source Code is strictly forbidden. This includes and is not restricted to:

• Publish our source code in a public repository
• Share (written or verbally) our source code and guidelines with anyone outside our Company
• Copy or distribute our source code for any purpose that is not related to our business.

Procedure

If you're using Open Source, discuss the licensing implication with your manager.

Policy Violation

In case the employee does not follow this policy, the following action will be taken:

• Termination of Employment

Data Protection and Privacy Policy

Policy brief & purpose

The core purpose of our business is cybersecurity and data protection. Because of that, we also have a policy for the information of our employees. This policy has the objective of clarifying how our organization processes personal data and how it applies data protection principles.

Scope

This policy and privacy notice refer to all parties (employees, job candidates, customers, suppliers, etc.) who provide any amount of information to us.

Who is covered under the Data Protection Policy?

Employees of our company and its subsidiaries must follow this policy. Contractors, consultants, partners, and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with or acts on our behalf and may need occasional access to data.

• Information about the company, being the personal data controller:

Name of the company, Seat and Registered Address	SECURE GROUP LAB OOD Sofia 1113, Iztok Dstr., 13b Tintyava str., floor 6
Contact with SECURE GROUP LAB OOD	https://lab.securegroup.com/ [email protected] Tel.: +35924167745 ext. 616
Represented by	Dominic Gingras and Evdokia Garkova

Policy Elements

As part of our operations, we need to obtain and process information for you as our employee, containing personal data. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data, etc.
Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available to us, the following rules apply. Our data will be:

• Accurate and kept up-to-date
• Collected fairly and for lawful purposes only
• Processed by the company within its legal and moral boundaries
• Protected against any unauthorized or illegal access by internal or external parties
• Your data, which you provide to us will not be:
• Communicated informally
• Stored for more than a specified amount of time
• Transferred to organizations, states or countries that do not have adequate data protection policies
• Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from law enforcement authorities)

In addition to ways of handling the data, the company has direct obligations towards you - individuals to whom the data belongs. Specifically, we must:

• Let the individuals know which of their data is collected
• Inform individuals about how we’ll process their data
• Inform individuals about who has access to their information
• Dispose of with procedures in cases of lost, corrupted or compromised data
• Allow individuals to request that we modify, erase, reduce or correct data contained in our databases

List of categories and types of personal data, which we shall process for you as employees of “Secure Group Lab” OOD

In order for us to conclude an employment/ civil contract with you, we shall collect and use the following information of yours, which represents personal data: contact details:

• name, permanent address, e-mail address, phone number;
• data related to payment services and receipt of your employment remuneration/ fees: bank account number, financial status;
• data in connection with education and qualifications: data from diploma for accomplished educational degree, membership in professional organizations, qualifications, etc.;
• data about your professional experience: former job positions, employment length of service, social insurance length of service and references from previous employers;
• data for the conclusion of the employment/ civil contract, related to the physical identity: three names, PIN, address, ID data, place of birth, citizenship, nationality.

In the event it becomes necessary for us to request additional information from you in the course of your work at the Company, we shall collect, keep and use (i.e. process) your personal data in accordance with this Data protection policy. Such additional data could be, for instance, data about your family identity, such as marital status regarding the payment of paid leave due to contracted marriage. In certain cases, in order to fulfill some statutory or other legal obligations, arising out of the concluded employment/ civil contract, we shall collect and process personal data provided by you, which pertains to your health status.
Use of personal data provided when applying for a job position with our Company: When entering into employment/ civil contracts with the Company, we shall collect, keep and use the personal data, as provided by you by means of your CV and/or application form. In all events, all information representing personal data that have been extended to us for the purposes of your job application with us shall be collected, kept and used in accordance with this Privacy Notice.
Use of personal data during the course of your duties and functions:

• Video data from the video surveillance system: in order to ensure smooth and unimpeded passing of the working process, as well as to protect the Company’s assets from illegal encroachment in the offices and common premises.
• Geolocation data: for accounting and reporting purposes and in connection with all company expenses, including fuel expenses and company cars consumables, as well as tracing out the observance of the working time, and reporting of time for performance of deliveries, we have placed GPS tracking devices on all company vehicles. During their driving, data are being reported and processed, including personal data, related to the location of the vehicle.
• Data about the internet activity of the employees realized during work time or with company devices, such as visited IP address, time of visit, name, and version of the web-browser, operation system and other parameters, provided from the web-browser, through which the access is made and all other information in this respect.

How do we protect your personal data?

Your personal data are kept on electronic carriers on servers located in the European Union and are accessible only by other designated employees of the Company (the Manager, the Financial Manager and/or HR Administration) and/or employees of the external accountancy, for the processing purposes pointed hereinabove.

Transfer of personal data

We do not provide your personal data outside the EU/EEA. In the event that your personal data are provided (transferred) outside the borders of the EU/ EEA, we shall ask for your additional consent and shall, in addition, provide you with information about the safeguards, which the receiving party ensures in connection with the personal data protection.

Retention periods

We retain your personal data only for as long as necessary, so to observe the statutorily prescribed period of time, as defined by the labor legislation, as well as so to protect the legitimate rights and interests of Secure Group Lab OOD in the event of possible claims, appeals, litigation proceedings, inquiries and investigations throughout or after termination of your employment/ civil contract. According to the requirements of the Labour Code, Tax and Social Procedure Code, the Accounting Act and the Ordinance of the Labour Record and the Labour Length of Service, the employer shall retain for a period not shorter than 50 (fifty) years, as of 1st of January of the reporting period, following the reporting period, which they pertain to, on paper and/ or electronic carrier, the employment contract, and all documents, attesting the remunerations paid to the employees. All other documents from the employee file will be kept, on paper and/ or electronic carrier, for a period of 6 (six) years as of the termination of the respective labor relationship.
Civil contracts and documents attesting the remunerations paid to the contractors are to be kept for a period of 10 (ten) years, as of 1st of January of the reporting period, following the reporting period, which they pertain to, on paper and/ or electronic carrier; any other documents from the contractor file will be kept for a period of 5 (five) years as of termination of the respective relationship.

Your rights

You may accomplish each of the below-pointed rights, which you dispose of, by addressing us with an application in writing at the contact addresses listed in point I hereinabove. Your rights in connection with your personal data are the following:

• The right of access to information regarding the modalities of the processing of personal data and information what personal data Secure Group Lab OOD is processing for your;
• In the event you consider that some personal data are untrue or incomplete, the right to request rectification or supplementation/ update of your personal data;
• The right to request form the Company to restrict or prohibit the processing of your personal data for certain specific purposes;
• The right to data portability;
• The right to file a request for your personal data to be deleted; and
• The right to file an appeal with the Personal Data Protection Commission
• All applications and requests received by Secure Group Lab OOD shall be reviewed in accordance with the relevant legislation in the sphere of personal data protection.

Your obligations as employee

• You shall undertake to inform the representatives of the Company or the Manager of the department that you work in if you become aware of a breach or violation in the process of collecting, processing or storing of personal data.
• You shall be acquainted with the overall policy for personal data protection, which the Company abides by.
• You shall be acquainted with the risks relating to the personal data, processed by the Company.
• As our employee, you undertake to not disseminate to third parties, including to other staff members from the personnel of the Company, the personal data which you have gained access to during or on the occasion of fulfilling your duties in the Company.
• You shall undertake to destruct any information carriers (on paper and electronically), containing personal data, according to the Procedure for due destruction of personal data, adopted in the Company.
• You shall be acquainted with and accept the Internal Employment Rules, approved by the Employer.

Procedure

To exercise data protection we’re committed to:

• Restrict and monitor access to sensitive data
• Develop transparent data collection procedures
• Train employees in online privacy and security measures
• Build secure networks to protect online data from cyber attacks
• Establish clear procedures for reporting privacy breaches or data misuse
• Include contract clauses or communicate statements on how we handle data
• Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization, etc.)

Policy Violation

In case this policy is not abode by employees the following actions will be taken (depending on the severity of the behavior):

• Disciplinary action: if a minor violation
• Termination of Employment and legal action: if a severe violation

Employee Confidentiality Policy

Policy brief & purpose

This policy explains what's the appropriate and ethical behavior when it comes to confidential data we use in our Company.

Scope

This policy applies to all employees who have access to confidential information.

Policy Elements

Confidential and proprietary information is secret, valuable, expensive and/or easily replicated. Common examples of confidential information are:

• Unpublished financial information
• Data of Customers/Partners/Vendors
• Patents, formulas or new technologies
• Customer lists (existing and prospective)
• Data entrusted to our company by external parties
• Pricing/marketing and other undisclosed strategies
• Documents and processes explicitly marked as confidential
• Unpublished goals, forecasts, and initiatives marked as confidential

Procedure

What employees can do

• Lock or secure confidential information at all times
• Shred confidential documents when they’re no longer needed
• Make sure they only view confidential information on secure devices
• Only disclose information to other employees when it’s necessary and authorized
• Keep confidential documents inside our company’s premises unless it’s absolutely necessary to move them

What employees can't do

• Use confidential information for any personal benefit or profit
• Disclose confidential information to anyone outside of our company
• Replicate confidential documents and files and store them on insecure devices
• Share source code to any external parties
• Maintain personal relations with former employees, suppliers and/or clients that have on-going litigation with Secure Group
• Maintain personal relations with former employees that were dismissed because of severe immoral behavior

Confidentiality Measures

Measures to ensure that confidential information is well protected:

• Store and lock paper documents
• Encrypt electronic information and safeguard databases
• Keep our source code secure on your workstation or in our version control system (Bitbucket, Gerrit, Harbor)
• Ask employees to sign non-compete and/or non-disclosure agreements (NDAs)
• Ask for authorization by senior management to allow employees to access certain confidential information

Exceptions

Confidential information may occasionally have to be disclosed for legitimate reasons. Examples are:

• If a regulatory body requests it as part of an investigation or audit
• If our company examines a venture or partnership that requires disclosing some information (within legal boundaries)
• In such cases, employees involved should document their disclosure procedure and collect all needed authorizations. We’re bound to avoid disclosing more information than needed.

Policy Violation

In case the employee does not follow this policy, the following action will be taken:

• Disciplinary action: if a minor violation
• Corrective Action Plan (CAP): if a severe violation
• Termination of Employment and legal action: if an extremely severe violation

We’ll investigate every breach of this policy. We’ll terminate any employee who willfully or regularly breaches our confidentiality guidelines for personal profit. We may also have to punish any unintentional breach of this policy depending on its frequency and seriousness. We’ll terminate employees who repeatedly disregard this policy, even when they do so unintentionally. This policy is binding even after the separation of employment.

Business Trips Policy Policy

Policy brief & purpose

Our business trip policy explains what are the conditions for traveling, accommodation, transportation and related expenses when the employee goes out of town for business purpose as well as the criteria for reimbursements.

Scope

This policy applies to all employees.In this policy, we refer to ‘travel’ meaning a business trip to a different city than the one we are in.

Policy Elements

As our employee, you may need to travel for company purposes. This includes trips to:

• Meet with clients or partners.
• Attend events, like conferences, where you’ll represent our company.
• Visit our company’s offices in other locations.
• Give presentations on behalf of our company.

For this kind of travel, we’ll reimburse transportation and accommodation expenses, and we will provide a daily allowance. Employee expenses fall under two categories:

• Expenses that are paid directly by our company on behalf of employees.
• Expenses that are paid by our employees and are reimbursable.

We’ll reimburse all reasonable business expenses, after they are approved, in part or in full as the case may be.

Legal/ medical expenses

If you need to travel to countries that need a visa or other documentation to enter, we’ll cover all relevant expenses (excluding expenses for issuing passports). The same applies to medical expenses, like medical insurance for travelers and vaccinations.

Transportation expenses

When traveling for company purposes, the company books and pays tickets for any kind of transportation. You should cover any additional expenses on your own.

Local transportation expenses

When in your destination, you can take taxis to move around the area for business purposes. Always ask for receipts and we’ll reimburse fares for traveling:

• From airport/ stations to your hotel and back.
• To and from every place you go for company purposes (like conference halls, lunches with clients or client offices).

We won’t reimburse transportation expenses for trips to museums or other places for personal purposes.

Accommodation

When traveling for company purposes, the company will book the room for you and pay for your stay. We might have negotiated a contract with a hotel to achieve a discount. We won’t reimburse any extra room-related charges incurred.

Expenses while on a trip

During a business trip, you’re entitled to a daily allowance to cover for lunch and dinner.

Non-reimbursable expenses

We won’t reimburse the following:

• Un-authorized service upgrade (e.g. business class or hotel rooms)
• Personal services (massages, beauty treatments, etc.)
• Personal purchases (gifts, clothes, etc.)
• Lost personal property (e.g. luggage)

This list is not exhaustive. Please ask HR about reimbursable expenses before you go on a business trip.

Procedure

When you are about to go on work-related trips, the Operations team will typically arrange for most of your accommodation and transportation costs and document these expenses. You need to:

• Document any expenses that our company hasn’t directly arranged for (e.g. taxi fares.) You cannot be reimbursed if you do not provide a receipt.
• You will receive a daily allowance to cover other necessary travel expenses.
• Submit your reimbursement claim or submit an expense report with all necessary documentation. Please submit your claim/report within a week after your trip.

Your manager and HR are responsible for approving reimbursement claims. If they are approved, you will receive your reimbursement next pay period. We’ll investigate any excessive expenses. In cases of consistent falsified or exaggerated claims, we may take disciplinary action.

Policy Violation

In case the employee does not follow this policy, the following action will be taken:

• Disciplinary action

Company Equipment Policy

Policy brief & purpose

This policy explains the conditions for using equipment provided by our Company and which actions are taken if an incident happens with it.

Scope

This policy applies to all employees. The equipment provided is laptops and/or mobile phones.

Policy Elements

Equipment Loan

When the Company provides laptop and/or mobile phone (“Equipment”) to an employee, the latter shall be obliged to:

• Use equipment only for the prescribed purposes, namely for company purposes. No additional software may be added to the laptop/smartphone other than provided by the Employer or authorized for use;
• Keep the equipment in a secure place when it is not in use and to protect it from theft and/or damage;
• Return all equipment provided by the Employer in good working condition at the conclusion of the labor relation, taking into account the normal wear and tear;
• In the event of non-performance of the above obligations, the employee shall be obliged to compensate the Employer in accordance with the rules and in the amounts pointed in Schedule 1 below.

Procedure

Rules and Amounts of Liability

The following rules and amounts of liability shall apply for the cases pointed above:

• Schedule 1 – Rule and amounts of liability

Item	Break it	Lose it	Amortization	Documents
Laptop	The full amount of repair during the notice period for physical damage First-time physical damage is paid 100% by the Company Second-time physical damage is paid 50% by the Company and 50 % by the employee. Subsequent physical damages are paid by the employee 100 % Normal wear and tear on account of the Company	The employee must provide a police report. The employee pays the full amount during the notice period. First time lost 50 % paid by the employee. Second and subsequent time – at the expenses of the employee 100 %	Market value (EBay)	When you get the equipment
Phone	The full amount of repair during the notice period for physical damage First-time physical damage is paid 100% by the Company Second-time physical damage is paid 50% by the Company and 50 % by the employee. Subsequent physical damages are paid by the employee 100 % Normal wear and tear on account of the Company	The employee pays the full amount during the notice period. First time lost paid 50 % by the employee. Second and subsequent time – at the expenses of the employee 100 %	Market value (EBay)	When you get the equipment
Training	N/A	N/A	1 year (value/12 months) – you pay the number of remaining months	When the training is scheduled
Online Training	N/A	N/A	1 year (value/12 months) – you pay the number of remaining months. The employer pays 80%, the employee pays 20%.	When the training is scheduled
Event	N/A	N/A	1 year (value/12 months) – you pay the number of remaining months	When the event is scheduled

Policy Violation

In case this policy is not abode by employees the following actions will be taken:

• Disciplinary action: if the issue happens frequently

Event Participation Policy

Policy brief & purpose

We believe that employees' participation in events is very valuable for the following reasons:

• Networking opportunities
• Professional development
• Content opportunities
• Brand exposure
• Inspired morale

This policy has the objective of clarifying the conditions and requirements for when employees participate in external events.

Scope

This policy applies to all employees.

Policy Elements

There are two main reasons why the Company may refer employees to attend events:

• To represent Secure Group: headhunt, build business relationship (customer and/or suppliers), market research, competitive analysis, or to give a conference.
• To stimulate development and growth in your Framework: attend a training, attend a conference

When the Company pays the expenses for events attended by employees, the latter shall be obliged:

• To be a Level 3 or UP
• To work with the company for a term of at least 12 months after the conclusion of the respective event;
• Reimburse to the company the respective part of the expenses for the training or the event, if he/she leaves the company or upon termination of the labour agreement with the employee due to his/her fault prior to the expiration of 12 months.

Procedure

• All employees are encouraged to propose event participation if they believe it's valuable to Secure Group.
• Event's participation will be logged in BambooHR
• A written report may be requested in order to share the acquired knowledge with the other employees.

Policy Violation

In case this policy is not abode by employees the following actions will be taken:

• Disciplinary action

Training Benefit Policy

Policy brief & purpose

To stimulate development and growth within your Framework you are encouraged to attend trainings. This policy explains what are the conditions and requirements for our employees to attend external trainings.

Scope

This policy applies to all employees.

Policy Elements

The Company pays for the training of employees and the latter shall be obliged:

• Each employee has a training budget of 100 BGN to spend yearly on training, seminars, books or any activity/resource related to their career development. It's up to the employee and manager to agree on how the budget will be spent.
• To be previously addressed in the employee's K-POC
• To work with the company for a term of at least 12 months after the conclusion of the respective training or event;
• Reimburse to the company the respective part of the expenses for the training or the event, if she/he leaves the company or upon the termination of the labor agreement with the employee due to his/her fault prior to the expiration of 12 months.

Procedure

• All employees are encouraged to request training participation if they believe it's valuable to Secure Group and if it matches the development expected in their Framework.
• Training time off should be logged in BambooHR.

Policy Violation

In case this policy is not abode by employees the following actions will be taken:

• Disciplinary action

Termination of Employment Policy

Policy brief & purpose

This policy aims to clarify the possible reasons and conditions for voluntary and involuntary contract termination.

Scope

This termination of employment policy applies to all employees of the company in regard to possible termination of employment.

Policy Elements

The Company will observe all legal dictations referring to the termination of employment and will avoid to the best possible extent unnecessary terminations.

What is the termination of employment?

Termination of employment happens when the contract of an employee is discontinued due to their or the Company’s actions. The termination may be categorized as voluntary or involuntary.
Voluntary termination may include inter alia the following:

• Resignation, meaning each unilateral termination by the employee, including in case of retirement.
• Expiration or completion of the contract (in case of a fix term contract);
• Termination upon mutual consent.

Depending on the ground for the termination the employee may be obliged to give notice a specified amount of time prior to the date of termination as determined in the law or in the individual employment contract. If the employee will stop working before the expiry of the notice period, the employee will provide the Company compensation for the time remaining, specified as “pay in lieu of notice” (compensation for non-observance of the notice period).
Involuntary termination may include inter alia the following:

• Unilateral termination by the employee without disciplinary cause;
• Disciplinary dismissal by the employer for a disciplinary cause.
• Discharge for disciplinary cause refers to the right of the Company to immediately terminate employment due to an employee’s disciplinary guilty misconduct and constitutes a disciplinary sanction within the meaning of the Labour Code.

Examples of such termination of employees include circumstances where an employee:

• Breaches their contract of employment
• Is discovered guilty of fraud, embezzlement or other kinds of illegal actions against the company
• Is guilty of discriminatory behavior or harassment
• Is guilty of unlawful or immoral behavior on the job
• Is guilty of willful neglect of job responsibilities
• Is discovered to have caused intentional damage to the company’s assets
• Continuously disregards company policy
• Reporting for work late, leaving early, being absent from work of failing to utilize working time efficiently
• Abusing the confidence and damaging the reputation of the enterprise, as well as disclosure of data which is confidential in respect of the enterprise
• Other grave breaches of the labor discipline (reference is made also to the Disciplinary procedure policy of the Company).

The list is not exhaustive therefore, discharge for disciplinary cause remains at our Company’s discretion, upon the observance of the rules for the imposition of disciplinary sanctions set forth in the law. It must however always reflect an unacceptable behavior or action that violates legal or Company guidelines or may result in financial and non-financial damages for the company, other employees or society.
Discharge without disciplinary cause can occur when for example the Company decides that the services of an employee are no longer needed. Discharge without disciplinary ground does not refer to an employee’s guilty misconduct. Reasons for discharge without disciplinary cause may be layoffs, rearrangement of a department or redefining of a position, closure of the enterprise or part thereof, impossibility of the Company to offer an appropriate work to an employee with certified reduced working ability, where the employee becomes entitled to a pension for social instance length of service and age, where performance of the employment contract is objectively impossible, the employee lacks the capacities for efficient performance of the work or for other reasons explicitly listed in the Labour Code. In some cases, an employee must be terminated without disciplinary cause, the Company is obliged to give notice a specified amount of time prior to the date of termination as determined by the law or in the employment contract. If the employee has to stop working before the expiry of the notice period, the company will still provide compensation for the time remaining, specified as “pay in lieu of notice” (compensation for nonobservance of the notice period). In any case of termination – i.e. irrespective of the termination ground Company should pay the terminated employee compensation for accrued vacation time (compensation for the remaining unused paid annual leave).
The Company is bound by the law to refrain from wrongful dismissals of employees. Wrongful dismissal may occur in inter alia cases when:

• An employee is terminated unfairly for cause
• An employee is terminated without an explicitly listed in the law cause.

Procedure

In cases of resignation (unilateral termination by the employee), the employee must submit an official termination notice to the immediate supervisor. On the same date, the termination notice must be copied and submitted by the supervisor to the Human Resources department, where the notice shall be recorded into the Company registers/ books and vested with a remark on the ongoing number and date of submission.
In cases of involuntary dismissal, the employee must be provided with written notification by the employer. The Company has to notify the employee of the termination a specified amount of time in advance as determined in the Labour Code or in the employment contract. When certain severance pay (compensation on occasion of the termination) is due, it will be stated in writing in the respective ordinance on termination.
For each case of termination, the Company shall issue and deliver to the employee a termination ordinance (beyond the other documents that might be created depending on the ground for the termination). The Company has to fill in relevant data regarding the termination in the employee’s labor booklet and deliver it to the employee in due course upon termination. At all times, proper employee records will be kept containing all relevant documentation. A lawyer will be consulted prior to termination to the Company can ensure the legality of its actions.

Policy Violation

Termination of contract is guaranteed by the Bulgarian Labor Law, therefore there are no reprimands when it's required.

Disciplinary Action Policy

Policy brief & purpose

This policy aims to clarify the possible reasons and conditions for disciplinary action to be taken.

Scope

This policy applies to all our employees.

Policy Elements

Disciplinary actions may be initiated by the Company in case of established breaches of the labor discipline. A culpable failure to fulfill labor duties shall constitute a breach of work discipline. Please note: a Disciplinary action can occur at the same time as a Corrective Action Plan (CAP).

Systematic Disciplinary action

A Systematic Disciplinary action constitutes of three steps:

• First, a reprimand will be issued. In case if re-incidence the employee will receive a warning of dismissal and finally if the problem is not solved, we will terminate the employment contract.

Examples that could lead to a systematic disciplinary action:

• Failure to meet performance objectives, which is due to the guilty behavior of the employees
• Guilty failure to meet deadlines
• Willful neglect of job responsibilities
• Immoral behavior on the job
• Lost temper in front of customers or partners
• Unwillingness to follow health and safety standards
• Losing temper in front of customers or partners
• Discriminatory behavior or harassment
• Causing intentional damage to the company’s assets
• Disregarding of company policy and non-execution of lawful orders of the employer
• Reporting for work late, leaving early, being absent from work of failing to utilize working time efficiently
• Non-fulfillment of other labor duties.

Instant Contract Termination

In case of severe violations to our labor discipline and conduct, we reserve the right to skip the three steps of the Systematic Disciplinary action and terminate the employment contract immediately. Examples that could lead to instant contract termination:

• Severe Immoral behavior on the job
• Misuse of the trust of the employer
• Leaking confidential information
• Severe unwillingness to follow health and safety standards
• Corruption/ Bribery
• Workplace Violence
• Embezzlement/Fraud or other kinds of illegal actions against the Company
• Causing severe intentional damage to the company’s assets
• Abusing the confidence and damaging the reputation of the enterprise, as well as disclosure of data which is confidential in respect of the enterprise

Procedure

The disciplinary procedure starts with the employer’s request to the employee to provide written or oral explanations on the breach within a term set forth in an ordinance of the employer in which the established so far circumstances which substantiate the commitment of a disciplinary breach shall be included. The failure or the rejection of the employee to provide an explanation does not impede the Company to continue the disciplinary procedure and to impose a disciplinary sanction after having gathered and accessed relevant evidence.
The Company may choose the appropriate sanction upon its own discretion. It decision depends on frequency and gravity of the breach (one-time minor offense or frequent offender, minor or major breaches, etc.), employees’ reaction to disciplinary procedures conducted with regard to former breaches, whether they repent their behavior and the nature of their offense/breach, the circumstances of the commission, as well as the conduct of the employee.
Only one disciplinary sanction may be imposed for one and the same breach of work discipline. However, before an employee is penalized the Company shall have the right, but not the obligation, to discuss correcting actions with an employee by granting the employee a reasonable term to correct her/his conduct and behavior. The employee may receive actionable feedback on how to deal with a reach.
Disciplinary sanctions shall be imposed within the terms set forth in the law by a motivated order in writing, which shall specify the identity of the offending employee, the breach and the date of commission, the sanction and the provision of the law pursuant to which the sanction is imposed. Disciplinary sanction order shall be served on the worker or employee upon signed acknowledgment of service, noting the date of service. Should it be impossible to serve the order on the worker or employee, the employer shall send the said order to the said worker by registered mail with advice of delivery.
The disciplinary sanction shall be considered imposed as from the day of delivering the order to the employee or as from the day of receipt of the said order, where the order has been by registered mail. Simultaneously with or irrespective of whether a procedure for imposing a disciplinary sanction the employer or the immediate supervisor or may suspend from work without paying an employee who reports for work in a state which prevents him/her from performing his or her labor duties, consumes alcoholic beverages or other strong intoxicating substances during working time. The suspension continues until the worker or employee restores his or her fitness to execute the work assigned thereto.
In case of a disciplinary breach, the Company may also decide on the detraction of certain benefits as long as they are not mandatory by law. For detriment caused to the Company due to a breach of labor discipline simultaneously with the imposition of disciplinary sanction, the employee may be exposed to financial liability toward the Company. We are obliged to refrain from disciplinary actions that may constitute retaliatory behavior. A no retaliation company policy will be effective at all times to ensure there is no misuse of the disciplinary procedures provided in the law and in this policy. Any disciplinary action launched by the Company should serve the purpose to enforce discipline in a fair and lawful manner.

Policy Violation

Disciplinary actions are guaranteed by the Bulgarian Labor Law, therefore it's in the Employer's right to enforce them. In case the employees do show any improvements on their behavior, the following actions will be taken:

• Corrective Action Plan (CAP): may occur along with the Disciplinary action
• Termination of Employment: if a severe violation

Corrective Action Plan (CAP) Policy

Policy brief & purpose

This policy explains in which conditions our employees can be assigned Corrective Action Plan and what are the steps that need to be taken in order to lift it.

Scope

This policy applies to all our employees.

Policy Elements

A CAP is a Corrective Action Plan that is assigned to our employees whenever they have over time demonstrated:

• Non-compliance with Secure Group internal policies.
• No adherence to the Culture Code
• Other actions, attitudes, and/or behavior deemed in contrast with Secure Group Culture Code (page 35 from Secure Group Management Model presentation on Secure Group Wiki's home page).

Please note: a CAP can occur at the same time as a Disciplinary action

Procedure

Attendance	Outcome	Follow Up
Employee: Attends 1-on-1; discusses the issue(s) in question with direct manager and receives the CAP. HR: is present at 1-on-1 to affirm the issue(s) in question (if needed).	Positive outcome (employee has met objectives after approved CAP): CAP is lifted. Negative outcome (employee has failed to meet approved CAP objectives): Escalation to HR and contract termination.	Employee: implements objectives and attends second 1-on-1 with the direct manager within 30 days.

Policy Violation

In case this policy is not abode by employees the following actions will be taken:

• Disciplinary action: may occur along with the CAP if it's a minor violation
• Termination of Employment: if a severe violation or a CAP negative outcome